policy_module(xguest, 1.0.1)

########################################

#

# Declarations

#

## <desc>

## 

## Allow xguest users to mount removable media

## 

## </desc>

gen_tunable(xguest_mount_media, true)

## <desc>

## 

## Allow xguest to configure Network Manager

## 

## </desc>

gen_tunable(xguest_connect_network, true)

## <desc>

## 

## Allow xguest to use blue tooth devices

## 

## </desc>

gen_tunable(xguest_use_bluetooth, true)

role xguest_r;

userdom_restricted_xwindows_user_template(xguest)

########################################

#

# Local policy

#

ifndef(`enable_mls',`

	fs_exec_noxattr(xguest_t)

	tunable_policy(`user_rw_noexattrfile',`

		fs_manage_noxattr_fs_files(xguest_t)

		fs_manage_noxattr_fs_dirs(xguest_t)

		# Write floppies 

		storage_raw_read_removable_device(xguest_t)

		storage_raw_write_removable_device(xguest_t)

	',`

		storage_raw_read_removable_device(xguest_t)

	')

')

# Allow mounting of file systems

optional_policy(`

	tunable_policy(`xguest_mount_media',`

		kernel_read_fs_sysctls(xguest_t)

		files_dontaudit_getattr_boot_dirs(xguest_t)

		files_search_mnt(xguest_t)

		fs_manage_noxattr_fs_files(xguest_t)

		fs_manage_noxattr_fs_dirs(xguest_t)

		fs_manage_noxattr_fs_dirs(xguest_t)

		fs_getattr_noxattr_fs(xguest_t)

		fs_read_noxattr_fs_symlinks(xguest_t)

		auth_list_pam_console_data(xguest_t)

		init_read_utmp(xguest_t)

	')

')

optional_policy(`

	tunable_policy(`xguest_use_bluetooth',`

		bluetooth_dbus_chat(xguest_t)

	')

')

optional_policy(`

	hal_dbus_chat(xguest_t)

')

optional_policy(`

	java_role(xguest_r, xguest_t)

')

optional_policy(`

	mozilla_role(xguest_r, xguest_t)

')

optional_policy(`

	tunable_policy(`xguest_connect_network',`

		networkmanager_dbus_chat(xguest_t)

		corenet_tcp_connect_pulseaudio_port(xguest_t)

		corenet_tcp_connect_ipp_port(xguest_t)

	')

')

#gen_user(xguest_u,, xguest_r, s0, s0)